User-ID Timeout Values are Ignored by Windows User-ID Agent When Set by XML



User-ID timeout values that are set on a per-user basis through the XML API are ignored by the Windows User-ID Agent. As a result, IP-user mappings remain visible in the User-ID Agent after the set timeout is reached. However, a Palo Alto Networks firewall configured to retrieve the IP-user mapping from the agent will correctly adhere to the set timeout values.


The following is an example entry of a User-ID timeout setting for the user, test\test1:

<entry name="test\test1" ip="" timeout="3" />

The Windows User-ID Agent does not proactively time out entries. This is the expected behavior. The agent keeps track of each entry's timestamp and timeout value. When the agent receives a get-all or query-ip request, it will then look at the entry. At that point, it will delete the entry if the timeout has been exceeded.
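
The following is an added illustration of the expire-on-read behavior described above. It is not Palo Alto Networks code. The class and method names, the sample IP addresses, the second user, and the abstract time units are all assumptions made for the model.

```python
from dataclasses import dataclass

@dataclass
class Mapping:
    user: str
    ip: str
    created: float  # timestamp recorded when the mapping was registered
    timeout: float  # per-user timeout from the XML entry (units assumed abstract)

class LazyAgentTable:
    """Toy model of a mapping table that expires entries only when read."""
    def __init__(self, clock):
        self._clock = clock   # injectable clock so the model runs deterministically
        self._by_ip = {}

    def login(self, user, ip, timeout):
        self._by_ip[ip] = Mapping(user, ip, self._clock(), timeout)

    def _expired(self, m):
        return self._clock() - m.created > m.timeout

    def displayed(self):
        # What an operator sees in the agent: no expiry check runs here.
        return sorted(self._by_ip)

    def query_ip(self, ip):
        # Models a query-ip request: the entry is checked, and deleted if stale.
        m = self._by_ip.get(ip)
        if m is not None and self._expired(m):
            del self._by_ip[ip]
            return None
        return m.user if m else None

    def get_all(self):
        # Models a get-all request: every stale entry is purged before answering.
        for ip in [ip for ip, m in self._by_ip.items() if self._expired(m)]:
            del self._by_ip[ip]
        return {ip: m.user for ip, m in self._by_ip.items()}

def demo():
    now = [0.0]
    table = LazyAgentTable(lambda: now[0])
    table.login(r"test\test1", "192.0.2.10", timeout=3)   # constructed sample IP
    table.login(r"test\test2", "192.0.2.11", timeout=10)  # constructed user and IP
    now[0] = 5                                 # test1's timeout has been exceeded
    stale_view = table.displayed()             # still lists both mappings
    answer = table.query_ip("192.0.2.10")      # requester never sees the stale entry
    return stale_view, answer, table.displayed()

if __name__ == "__main__":
    print(demo())
```

The requester, like the firewall in the article, only ever receives unexpired mappings, while the agent's own display can lag until the next request arrives.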


owner: mcooke



I believe there exists a configuration option within the UserID agent that forces removal of entries when the timeout value expires. Please double check that option and amend the cause statement.


I am unaware of any such option.